user administrator and roles: how to do with several restricted sections?

Author Message

Daniele P.

Monday 19 January 2004 4:14:00 am

Ez Publish is role-centric because role are assigned to users and
not viceversa.
In this way you have to view all roles (one by one) to know which role is
assigned to one user. This is bad design.
I have the following situation and due to the incomplete role assignment
and managment I can't use eZ publish for my porpouse.

I have 5 restricted areas on my ez publish site.
Some users should have the rights to read form area
1 only, some only from area 2 only, some for all the restricted areas.
So i create 5 roles "view area": view area 1, view area 2... because
is impossible to manage all groups for these combination.

I want to set a simple role for the "user administrator":
- Create new users in "customer group" (and this is simple).
- Assign to the users of "customer group" the right role: one or more
of the "view area" roles.

Is possible?
I can only assign to the "user administrator" the role policy:
role * *
that is too large.

If I can't manage such type of accounting I accept suggestion for
workarounds.

Thanks in Advance.
Daniele

Marco Zinn

Monday 19 January 2004 10:10:41 am

I don't know, how diverse the permission system for the role module is, but i guess, you tried this out.

One workaround would be:
Create 5 User groups ("Readers of Forum 1", "Readers of Forum 2") under the "Customer group".
Assign one of your 5 roles to each group.
Now, by storing users in one or more groups (this is possible), your user admins have control over the read rights.

You must test, if this really works. There WAS a bug with policy inheriting through user groups, but i guess, it's solved now.

Marco
http://www.hyperroad-design.com

Daniele P.

Monday 19 January 2004 12:24:36 pm

It works out of the box for eZ 3.3-1 (3.3).
It's a lot of repetitive work to set ut 5 sections, 5 user gruops and 5 role policies.
I tested the simplest conf:

USERS ROOT
|-- SEC1
| |-- USER1
| '-- USER12
`-- SEC2
|-- USER2
`-- USER12

USER12 can read from SEC1 and SEC2
Now I'm going to test the followings (whic are more useful):

USERS ROOT
`-- COMMONSEC
|-- SEC1
| |-- USER1
| '-- USER12
`-- SEC2
|-- USER2
`-- USER12

USERS ROOT
|-- COMMONSEC1
| |-- SEC1
| | |-- USER11
| | |-- USER12
| | '-- USER1212
| `-- SEC2
| |-- USER12
| |-- USER22
| '-- USER1212
`-- COMMONSEC2
|-- SEC1
| |-- USER1
| |-- USER12
| `-- USER1212
`-- SEC2
|-- USER2
|-- USER12
`-- USER1212

This is not the best solution (I really need a limited role editor, and a speedy setup for policies) but it seems to work.

What about if two user grop have opposite role?
In my test I only add read permission to a section.

Thanks,
Daniele

Powered by eZ Publish™ CMS Open Source Web Content Management. Copyright © 1999-2014 eZ Systems AS (except where otherwise noted). All rights reserved.